R11B-0 SMP segfaults in unlink_free_block

Hi,
I'm seeing fairly regular segmentation faults on R11B-0 on a 2-CPU 64-
bit Linux box. It's compiled from source with no special options
(other than ./configure --prefix=/opt/erlang). I got beam.smp to dump
core, and I've attached a strack trace from gdb below.
erts would have been compiled with gcc -O3, so there's a vague
possibility that the stack trace is slightly bogus. However, it seems
to go wrong only in SMP mode, and the the offending section is called
from somewhere in time.c with the rather frightening looking comment:
/* Here comes hairy use of the timer fields!
* They are reset without having the lock.
* It is assumed that no code but this will
* accesses any field until the ->timeout
* callback is called.
*/
p->next = NULL;
p->slot = 0;
(*p->timeout)(p->arg);
The application probably has several thousand erlang processes
spawned, most of which are performing this sort of hybrid poll/
receive pattern:
loop() ->
receive
event ->
handle_event(),
after Timeout ->
poll_external_system()
end,
loop().
Is it possible my code's picking out an obscure race condition in the
new SMP code?
---
(smithers)lisa:~% gdb /opt/erlang/lib/erlang/erts-5.5/bin/beam.smp
core.12735
GNU gdb Red Hat Linux (6.3.0.0-1.96rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and
you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for
details.
This GDB was configured as "x86_64-redhat-linux-gnu"...Using host
libthread_db library "/lib64/tls/libthread_db.so.1".
Core was generated by `/opt/erlang/lib/erlang/erts-5.5/bin/beam.smp
-- -root /opt/erlang/lib/erlang -p'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib64/libdl.so.2...done.
[...]
Loaded symbols for /usr/lib64/libz.so.1
#0 0x000000000043729e in unlink_free_block (allctr=0x677a00,
block=0x6e4a38)
at beam/erl_goodfit_alloc.c:452
452 blk->prev->next = blk->next;
(gdb) bt
#0 0x000000000043729e in unlink_free_block (allctr=0x677a00,
block=0x6e4a38)
at beam/erl_goodfit_alloc.c:452
#1 0x000000000043305b in mbc_free (allctr=0x677a00, p=Variable "p"
is not available.
)
at beam/erl_alloc_util.c:731
#2 0x0000000000436555 in erts_alcu_free_ts (type=Variable "type" is
not available.
)
at beam/erl_alloc_util.c:2221
#3 0x000000000047cafe in timer_thread_start (ignore=Variable
"ignore" is not available.
) at beam/time.c:292
#4 0x000000000050bea8 in thr_wrapper (vtwd=Variable "vtwd" is not
available.
) at common/ethread.c:440
#5 0x00000039a100610a in start_thread () from /lib64/tls/
libpthread.so.0
#6 0x000000399fdc5ee3 in clone () from /lib64/tls/libc.so.6
#7 0x0000000000000000 in ?? ()